Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

Configuring IPv6 Hub and Spoke (IPv6)

In the Hub and Spoke networking, an access control device is specified in the VPN, and users communicate with each other through the access control device.

Usage Scenario

If it is required that an access control device be specified in the VPN and all the users access the VPN through this access control device, you can deploy the Hub and Spoke networking so that all the data exchanged between Spoke sites flow through the Hub site.

On the network shown in Figure 6-7, Site1 and Site2 in VPN1 communicate with each other through Site3. In such a scenario, you can deploy an access control device at Site3 to monitor the communication between Site1 and Site2.

Figure 6-7 Diagram of the Hub-Spoke networking

Pre-configuration Tasks

Before configuring Hub and Spoke, complete the following tasks:

  • Configuring an IGP on the MPLS backbone network to implement IP interworking

  • Configuring basic MPLS capabilities and establishing an LDP LSP between PEs

  • Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 6-8 Flowchart for configuring Hub and Spoke

Configuring a VPN Instance

A VPN instance can be configured on a PE to manage VPN routes.

Context

In the Hub and Spoke networking, the PE connected to a central site (Hub site) is called a Hub-PE and the PE connected to a non-central site (Spoke site) is called a Spoke-PE.

You need to configure a VPN instance on each Spoke-PE and two VPN instances (VPN-in and VPN-out) on each Hub-PE.
  • VPN-in is used to receive and maintain the VPNv6 routes advertised by all the Spoke-PEs.

  • VPN-out is used to maintain the routes of the Hub site and all the Spoke sites and advertise the routes to all Spoke-PEs.

NOTE:

Steps 1 to 8 are performed to configure one VPN instance. Configurations of different VPN instances are similar. Note that different VPN instances on the same device must have different names, RDs, and descriptions.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip vpn-instance vpn-instance-name

    A VPN instance is created and the VPN instance view is displayed.

    The name of a VPN instance is case sensitive. For example, "vpn1" and "VPN1" are two different VPN instances.

  3. (Optional) Run description description-information

    The description of the VPN instance is configured.

    The description is used to record the purpose of creating the VPN instance and the CEs with which the VPN instance sets up connections.

  4. Run ipv6-family

    The IPv6 address family is enabled for the VPN instance and the VPN instance IPv6 address family view is displayed.

  5. Run route-distinguisher route-distinguisher

    An RD is configured for the VPN instance IPv6 address family.

    The VPN instance IPv6 address family takes effect only after an RD is configured. Before configuring an RD, you can configure only the description about the VPN instance. No other parameters can be configured.

  6. (Optional) Run apply-label per-route pop-go

    The device is configured to assign a unique label to each VPNv6 route sent to its BGP VPNv6 peer and forward the data packets received from its BGP VPNv6 peer through outbound interfaces found in the local ILM.

    By default, the local device assigns a unique label to each VPNv6 route sent to its BGP VPNv6 peer. After the local device receives a labeled data packet from its BGP VPNv6 peer, the local device removes the label, searches the IP forwarding table for a forwarding entry according to the longest-match principle, and sends the packet based on the found forwarding entry.

    After the apply-label per-route pop-go command is configured, the local device records in the ILM the mapping between the label assigned to each VPNv6 route and the outbound interface of the route. Then, after the local device receives a labeled data packet from its BGP VPNv6 peer, the local device directly searches the ILM for an outbound interface based on label information carried in the packet and forwards the packet through the found outbound interface after removing its label. This implementation significantly accelerates packet forwarding.

    The apply-label per-route pop-go command and the apply-label per-instance command are mutually exclusive. If both commands are configured, the one configured later takes effect.

  7. (Optional) Run apply-label per-instance

    MPLS label allocation per VPN instance IPv6 address family is configured. All the routes of the VPN instance IPv6 address family then use one label.

    In general, each route is assigned one label (one label per route).

  8. (Optional) Run prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

    The maximum number of prefixes of the VPN instance IPv6 address family is set.

    To prevent a PE from importing excessive prefixes, you can set the maximum number of prefixes supported by the VPN instance IPv6 address family.

  9. Run commit

    The configuration is committed.

Configuring Routing Attributes for a VPN Instance

In Hub and Spoke networking, you can configure VPN targets on the Hub-PE and Spoke-PEs to control the advertisement of VPN routes. The import VPN target configured on the Hub-PE must contain the export VPN targets configured on all the Spoke-PEs. The export VPN target configured on the Hub-PE must contain the import VPN targets configured on all the Spoke-PEs.

Context

Controlling the advertisement of VPN routes by configuring VPN targets is also a key part of the Hub and Spoke solution.

Procedure

  • Configuring the Hub-PE
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name1

      The VPN instance view of VPN-in is displayed.

    3. Run ipv6-family

      The VPN instance IPv6 address family view is displayed.

    4. Run vpn-target vpn-target1 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv6 address family to receive the VPNv6 routes advertised by all the Spoke-PEs.

      The vpn-target1 list here must contain the export VPN targets configured on all the Spoke-PEs.

    5. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv6 address family or modify route attributes so that VPN route receiving can be better controlled.

    6. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, ERTs are added to VPN routes before these routes are matched against an export routing policy. If the export routing policy contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export routing policy to VPN routes, run the add-ert-first command to configure the system to add ERTs to VPN routes before matching these routes against the export routing policy.

    7. Run quit

      Return to the system view.

    8. Run ip vpn-instance vpn-instance-name2

      The VPN instance view of VPN-out is displayed.

    9. Run ipv6-family

      The VPN instance IPv6 address family view is displayed.

    10. Run vpn-target vpn-target2 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv6 address family to advertise the routes of all the Hub sites and Spoke sites.

      The vpn-target2 list here must contain the import VPN targets configured on all the Spoke-PEs.

    11. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv6 address family or modify route attributes so that VPN route receiving can be better controlled.

    12. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, ERTs are added to VPN routes before these routes are matched against an export routing policy. If the export routing policy contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export routing policy to VPN routes, run the add-ert-first command to configure the system to add ERTs to VPN routes before matching these routes against the export routing policy.

    13. Run commit

      The configuration is committed.

  • Configuring the Spoke-PE
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name1

      The VPN instance view of VPN-in is displayed.

    3. Run ipv6-family

      The VPN instance IPv6 address family view is displayed.

    4. Run vpn-target vpn-target2 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv6 address family to receive the VPNv6 routes advertised by the Hub-PE.

      vpn-target2 must be in the export VPN target list configured on the Hub-PE.

    5. Run vpn-target vpn-target1 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv6 address family to advertise the routes of the sites the Spoke-PEs access.

      vpn-target1 must be in the import VPN target list configured on the Hub-PE.

    6. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv6 address family or modify route attributes so that VPN route receiving can be better controlled.

    7. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using a VPN target to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, ERTs are added to VPN routes before these routes are matched against an export routing policy. If the export routing policy contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export routing policy to VPN routes, run the add-ert-first command to configure the system to add ERTs to VPN routes before matching these routes against the export routing policy.

    8. Run commit

      The configuration is committed.
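The containment rules above can be checked mechanically before a change is committed. The following Python is an added example, not Huawei's code: it parses VRP-style configuration text and reports Spoke-PE VPN targets that break the two rules, or that would let a Spoke-PE accept another spoke's routes without them passing through the Hub. The configurations, instance names, RDs and VPN-target values are constructed for illustration.

```python
# Constructed sample configurations (not from the original page). Instance
# names, RDs and the VPN-target values 100:1 / 200:1 are assumptions.
HUB_PE = """
ip vpn-instance vpn_in
 ipv6-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
ip vpn-instance vpn_out
 ipv6-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
"""
SPOKE1_PE = """
ip vpn-instance vpna
 ipv6-family
  route-distinguisher 100:1
  vpn-target 200:1 import-extcommunity
  vpn-target 100:1 export-extcommunity
"""
# Misconfigured on purpose: also imports 100:1, the RT that spokes export.
SPOKE2_PE = """
ip vpn-instance vpna
 ipv6-family
  route-distinguisher 100:3
  vpn-target 200:1 100:1 import-extcommunity
  vpn-target 100:1 export-extcommunity
"""

DIRECTIONS = {
    "import-extcommunity": ("import",),
    "export-extcommunity": ("export",),
    "both": ("import", "export"),  # VRP keyword, not shown on this page
}


def parse_targets(config):
    """Return {instance: {"import": set, "export": set}} from config text."""
    result, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["ip", "vpn-instance"]:
            current = result.setdefault(
                words[2], {"import": set(), "export": set()})
        elif current is not None and words[:1] == ["vpn-target"]:
            # A vpn-target line without a keyword is treated here as "both".
            has_kw = words[-1] in DIRECTIONS
            rts = words[1:-1] if has_kw else words[1:]
            for direction in DIRECTIONS[words[-1] if has_kw else "both"]:
                current[direction].update(rts)
    return result


def audit(hub, vpn_in, vpn_out, spokes):
    """Return a list of (pe, instance, rule, offending RTs) findings."""
    hub_import = hub[vpn_in]["import"]
    hub_export = hub[vpn_out]["export"]
    findings = []
    for pe, instances in spokes.items():
        # Export RTs of every other Spoke-PE, for the bypass check below.
        peers = set()
        for other, other_instances in spokes.items():
            if other != pe:
                for rt in other_instances.values():
                    peers |= rt["export"]
        for inst, rt in instances.items():
            checks = (
                ("export-not-imported-by-hub", rt["export"] - hub_import),
                ("import-not-exported-by-hub", rt["import"] - hub_export),
                ("imports-spoke-rt", rt["import"] & peers),
            )
            for rule, bad in checks:
                if bad:
                    findings.append((pe, inst, rule, sorted(bad)))
    return findings
```

With the sample input, `audit()` flags only the second Spoke-PE: its import list contains 100:1, which the Hub-PE does not export and which the other Spoke-PE does.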

Binding an Interface to a VPN Instance

By binding an interface to a VPN instance, you can change the interface to a VPN interface. Then, packets entering this interface are forwarded according to the forwarding information of the VPN instance.

Context

The configuration on the Hub-PE involves two interfaces or sub-interfaces:

  • One is bound to VPN-in for receiving the routes advertised by Spoke-PEs.

  • One is bound to VPN-out for advertising the routes of all the Hub sites and Spoke sites.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of the interface to be bound to the VPN instance is displayed.

  3. Run ip binding vpn-instance vpn-instance-name

    The interface is bound to a VPN instance.

    NOTE:

    After the ip binding vpn-instance command is run on an interface, the Layer 3 features such as the IP address and routing protocol configured on the interface are deleted.

  4. Run ipv6 enable

    IPv6 is enabled on the interface.

  5. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

    An IPv6 address is configured for the interface.

    Some Layer 3 features such as route exchange between the PE and CE can be configured only after an IPv6 address is configured for the VPN interface on the PE.

  6. Run commit

    The configuration is committed.

Configuring Route Exchange Between a Hub-PE and a Spoke-PE

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv6 routes between PEs.

Context

MP-IBGP peer relationships must be established between the Hub-PE and each Spoke-PE. Spoke-PEs do not need to exchange routes directly, and therefore they do not need to establish MP-IBGP peer relationships with each other.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp as-number

    The BGP view is displayed.

  3. Run peer peer-address as-number as-number

    The remote PE is configured as a BGP peer.

  4. Run peer peer-address connect-interface loopback interface-number

    The interface used to establish a TCP connection is specified.

    NOTE:
    PEs must use the loopback interface addresses with 32-bit masks to establish an MP-IBGP peer relationship so that routes can be iterated to the tunnel. The route to the loopback interface is advertised to the peer PE through IGP on the MPLS backbone network.

  5. Run ipv6-family vpnv6 [unicast]

    The BGP VPNv6 sub-address family view is displayed.

  6. Run peer peer-address enable

    The capability of exchanging BGP VPNv6 routing information with the peer is enabled.

  7. Run commit

    The configuration is committed.

Configuring Route Exchange Between a PE and a CE

The routing protocol running between a PE and a CE can be BGP or an IGP. A static route (including the default route) can also be used between them. You can choose any of them as required.

Context

The routing protocol running between a Spoke-PE and a Spoke-CE is related to the routing protocol running between a Hub-PE and a Hub-CE. EBGP, an IGP, or a static route (including the default route) can be used between a Hub-PE and a Hub-CE. You can choose any of them as required.

Procedure

  • Configuring EBGP between a Hub-PE and a Hub-CE

    For detailed configuration procedures, see Configuring Route Exchange Between PEs and CEs.

    In this mode, EBGP, IGP, or static route (including the default route) can be run between a Spoke-PE and a Spoke-CE.

    NOTE:

    If EBGP runs both between the Spoke-PE and the Spoke-CE and between the Hub-PE and the Hub-CE, you need to run the peer ip-address allow-as-loop [ number ] command in the BGP-VPN instance IPv6 address family view of the Hub-PE to allow route loops. If number is set to 1, routes in which the AS number is repeated once in the AS-path list are allowed.

  • Configuring IGP between a Hub-PE and a Hub-CE

    For detailed configuration procedures, see Configuring Route Exchange Between PEs and CEs.

    In this mode, only IGP or static route (including the default route) can be run between a Spoke-PE and a Spoke-CE. For details, see the chapter "BGP/MPLS IP VPN" in the Feature Description - VPN.

  • Configuring a static route (including the default route) between a Hub-PE and a Hub-CE

    For detailed configuration procedures, see Configuring Route Exchange Between PEs and CEs.

    In this mode, EBGP, IGP, or static route (including the default route) can be run between a Spoke-PE and a Spoke-CE.

    If a Hub-CE adopts the default route to access the Hub-PE, to enable the Hub-PE to advertise the default route to all the Spoke-PEs, you need to run the following commands on the Hub-PE:

    • Run the ipv6 route-static vpn-instance vpn-instance-name :: 0 nexthop-address [ tag tag ] [ description text ] command in the system view.

      In this example, vpn-instance-name specifies VPN-out and nexthop-address specifies the IPv6 address of the Hub-CE interface that connects to the PE interface bound to VPN-out.

    • Run the network :: 0 command in the BGP-VPN instance IPv6 address family view to advertise the default route to all the Spoke-PEs through MP-BGP.

Verifying the Configuration of Hub and Spoke (IPv6)

After configuring hub & spoke, check VPN routing information on the PE or CE.

Prerequisites

Hub & spoke has been configured.

Procedure

  • Run the display ipv6 routing-table vpn-instance vpn-instance-name command to check routing information about VPN-in and VPN-out on the Hub-PE.
  • Run the display ipv6 routing-table command on the Hub-CE and all the Spoke-CEs to check routing information.

Example

After the configuration, run the display ipv6 routing-table vpn-instance vpn-instance-name command, and you can find that the routing table of VPN-in has routes to all the spoke sites and the routing table of VPN-out has routes to the Hub site and all the spoke sites.

<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 6        Routes : 6

Destination  : 1::1                                    PrefixLength : 128
NextHop      : 1001::1                                 Preference   : 255
Cost         : 0                                       Protocol     : EBGP
RelayNextHop : 1001::1                                 TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : RD

Destination  : 2::2                                    PrefixLength : 128
NextHop      : ::FFFF:2.2.2.9                          Preference   : 255
Cost         : 0                                       Protocol     : IBGP
RelayNextHop : --                                      TunnelID     : LDP LSP
Interface    : LDP LSP                                 Flags        : RD

Destination  : 3::3                                    PrefixLength : 128
NextHop      : ::FFFF:2.2.2.9                          Preference   : 255
Cost         : 0                                       Protocol     : IBGP
RelayNextHop : --                                      TunnelID     : LDP LSP
Interface    : LDP LSP                                 Flags        : RD

Destination  : 1001::                                  PrefixLength : 64
NextHop      : 1001::2                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 1001::2                                 PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : FE80::                                  PrefixLength : 10
NextHop      : ::                                      Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D

After the configuration, run the display ipv6 routing-table command on the Hub-CE, and you can find the routes to the Spoke-CEs.

<HUAWEI> display ipv6 routing-table
Routing Table : _public_
         Destinations : 11       Routes : 11

Destination  : ::1                                     PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : InLoopBack0                             Flags        : D

Destination  : ::FFFF:127.0.0.0                        PrefixLength : 104
NextHop      : ::FFFF:127.0.0.1                        Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : InLoopBack0                             Flags        : D

Destination  : ::FFFF:127.0.0.1                        PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : InLoopBack0                             Flags        : D

Destination  : 1::1                                    PrefixLength : 128
NextHop      : 1003::2                                 Preference   : 255
Cost         : 0                                       Protocol     : EBGP
RelayNextHop : 1003::2                                 TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : RD

Destination  : 2::2                                    PrefixLength : 128
NextHop      : 1003::2                                 Preference   : 255
Cost         : 0                                       Protocol     : EBGP
RelayNextHop : 1003::2                                 TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : RD

Destination  : 3::3                                    PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : LoopBack1                               Flags        : D

Destination  : 1003::                                  PrefixLength : 64
NextHop      : 1003::1                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 1003::1                                 PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 1004::                                  PrefixLength : 64
NextHop      : 1004::1                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/2/0                    Flags        : D

Destination  : 1004::1                                 PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/2/0                    Flags        : D

Destination  : FE80::                                  PrefixLength : 10
NextHop      : ::                                      Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D
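The output format above can be checked by script instead of by eye. The following Python is an added example, not part of the original guide: it parses the two-column records and reports whether prefixes expected from a remote PE are present, learned through IBGP, and resolved over a tunnel. The list of expected prefixes is an assumption supplied by the operator; the sample text is three records copied from the vpna output above.

```python
import re

# Header and three records copied from the example output on this page.
SAMPLE = """\
<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 6        Routes : 6

Destination  : 1::1                                    PrefixLength : 128
NextHop      : 1001::1                                 Preference   : 255
Cost         : 0                                       Protocol     : EBGP
RelayNextHop : 1001::1                                 TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : RD

Destination  : 2::2                                    PrefixLength : 128
NextHop      : ::FFFF:2.2.2.9                          Preference   : 255
Cost         : 0                                       Protocol     : IBGP
RelayNextHop : --                                      TunnelID     : LDP LSP
Interface    : LDP LSP                                 Flags        : RD

Destination  : 1001::                                  PrefixLength : 64
NextHop      : 1001::2                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D
"""

# Values contain ':' (IPv6 addresses) and single spaces ("LDP LSP"), so a
# field ends at a run of two or more spaces or at end of line, never at ':'.
FIELD = re.compile(r"(\w+)\s*: (.*?)(?:\s{2,}|$)")


def parse_routes(text):
    """Return one dict per route record; header lines are skipped."""
    routes, current = [], None
    for line in text.splitlines():
        for key, value in FIELD.findall(line.strip()):
            if key == "Destination":  # first field of every record
                current = {}
                routes.append(current)
            if current is not None:
                current[key] = value
    return routes


def check_remote(routes, expected):
    """Return {prefix: verdict} for prefixes expected from a remote PE."""
    table = {f"{r['Destination']}/{r['PrefixLength']}": r for r in routes}
    verdicts = {}
    for prefix in expected:
        route = table.get(prefix)
        if route is None:
            verdicts[prefix] = "missing"
        elif route.get("Protocol") != "IBGP":
            verdicts[prefix] = "learned via " + route.get("Protocol", "?")
        elif route.get("TunnelID") in (None, "0x0"):
            verdicts[prefix] = "no tunnel"
        else:
            verdicts[prefix] = "ok"
    return verdicts
```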
Updated: 2019-01-14

Document ID: EDOC1100058925
